Commit 212efed2 authored by Chad Barb's avatar Chad Barb
Browse files

Rewrote most of code (some bits of original remain)

Now, data checking is improved, as well as code quality and consistency.t


I also hate vi.
parent 5f542c1e
This diff is collapsed.
<?
/*
* WebDB - testbed adaptation of:
*
* MySQL Web Interface Version 0.8
* -------------------------------
* Developed By SooMin Kim (smkim@popeye.snu.ac.kr)
* License : GNU Public License (GPL)
* Homepage : http://popeye.snu.ac.kr/~smkim/mysql
*/
function sanitizeSQLName( $n ) {
// XXX fix.
$r = strtr( $n, " '\"$!@#%^&()*\\[]{}<>,./?=+~`",
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" );
return $r;
}
function quoteForSQL( $l ) {
return "'" . str_replace( "$", "\\$", addslashes( $l ) ) . "'";
// return "'" . mysql_escape_string( $l ) . "'"; // not supported in current version. :(
}
function linkToViewDB( $text, $dbname ) {
global $PHP_SELF;
return "<a href=\"$PHP_SELF?dbname=$dbname\">$text</a>";
}
function linkToViewServer( $text ) {
global $PHP_SELF;
// use view action so we don't kick them into default database.
return "<a href=\"$PHP_SELF?action=view\">$text</a>";
}
function linkToViewTable( $text, $dbname, $tablename ) {
global $PHP_SELF;
return "<a href=\"$PHP_SELF?dbname=$dbname&tablename=$tablename\">$text</a>";
}
function linkToViewTableExtra( $text, $extra, $dbname, $tablename ) {
global $PHP_SELF;
return "<a href=\"$PHP_SELF?dbname=$dbname&tablename=$tablename&$extra\">$text</a>";
}
function setError( $text ) {
$title_header = "Error";
$body_header = "Error: $text";
}
function assertViewPermission() {
global $readTablePerm, $tablename;
if ($readTablePerm == 0) {
setError( "Not allowed to view table '$tablename'" );
return 0;
} else {
return 1;
}
}
function assertAddEditPermission() {
global $addEditRowPerm, $tablename;
if ($addEditRowPerm == 0) {
setError( "Not allowed to add or edit rows in table '$tablename'" );
return 0;
} else {
return 1;
}
}
function assertDeletePermission() {
global $deleteRowPerm, $tablename;
if ($deleteRowPerm == 0) {
setError( "Not allowed to delete rows from table '$tablename'" );
return 0;
} else {
return 1;
}
}
function encap( $c, $tag, $first ) {
if ($first != "") {
return "<$tag $first>$c</$tag>";
} else {
return "<$tag>$c</$tag>";
}
}
function _form( $c ) {
global $PHP_SELF;
return "<form action='$PHP_SELF' method=post>\n" . $c . "</form>\n";
}
function _input_hidden( $var, $val ) {
return "<input type=hidden name=$var value=\"$val\">\n";
}
function _input_text( $var, $val, $size ) {
return "<input type=text name=$var value=\"$val\" size=$size>\n";
}
function _input_submit( $val ) {
return "<input type=submit value=\"$val\" name=$val>\n";
}
function _table( $c ) { return encap( $c, "table", "cellspacing=0 cellpadding=5"); }
function _tr( $c ) { return encap( $c, "tr", "align=left"); }
function _th( $c ) { return encap( $c, "th", "align=left"); }
function _th2( $c, $o ) { return encap( $c, "th", "align=left $o"); }
function _td( $c ) { return encap( $c, "td", ""); }
function _p( $c ) { return encap( $c, "p", ""); }
function _b( $c ) { return encap( $c, "b", ""); }
function _i( $c ) { return encap( $c, "i", ""); }
function _link( $c, $vars ) {
global $PHP_SELF;
return encap( $c, "a", "href=\"$PHP_SELF?$vars\"" );
}
function _link2( $c, $vars, $o ) {
global $PHP_SELF;
return encap( $c, "a", "href=\"$PHP_SELF?$vars\" $o" );
}
function listDatabases() {
global $mysqlHandle, $body;
$body .= _p( "Click to view tables in database. ") .
_p( _b("Note:") .
_i("Due to security concerns, " .
"you may only view databases with names " .
"containing the substring \"tbdb\"." ));
$table = _tr( _th("database name") );
$pDB = mysql_list_dbs( $mysqlHandle );
$num = mysql_num_rows( $pDB );
for( $i = 0; $i < $num; $i++ ) {
$dbname = mysql_dbname( $pDB, $i );
$table .= _tr( _td( linkToViewDB( $dbname, $dbname ) ) );
}
$body .= _table( $table );
}
function listTables() {
global $mysqlHandle, $dbname, $body;
$body .= _p( "Click to view or edit table information." );
$pResult = mysql_query( "SELECT * FROM comments WHERE column_name IS NULL" );
if ($pResult != "") {
$num = mysql_num_rows( $pResult );
for( $i = 0; $i < $num; $i++ ) {
$field = mysql_fetch_array( $pResult );
$table_comment[$field["table_name"]] = $field["description"];
}
}
$pTable = mysql_list_tables( $dbname );
if( $pTable == 0 ) {
$msg = mysql_error();
setError( "$msg" );
return;
}
$rows = mysql_num_rows( $pTable );
$table = _tr(_th("table name") . _th("description"));
for( $i = 0; $i < $rows; $i++ ) {
$tablename = mysql_tablename( $pTable, $i );
$row = _td( _b( linkToViewTable( $tablename, $dbname, $tablename ) ) );
if ($table_comment[$tablename] != "") {
$row .= _td( _i( $table_comment[$tablename] ) );
}
$table .= _tr( $row );
}
$body .= _table( $table );
}
function setTableDescription( $tablename, $description )
{
global $mysqlhandle, $dbname;
$a = quoteForSQL( $tablename );
$c = quoteForSQL( $description );
$q1 = "DELETE FROM comments WHERE table_name=$a AND column_name IS NULL";
$q2 = "INSERT INTO comments VALUES ($a, NULL, $c)";
mysql_query( $q1 );
if ($description != "") {
mysql_query( $q2 );
}
}
function viewData() {
global $mysqlHandle, $dbname, $tablename, $orderby, $body, $dliquid, $set, $cancel;
global $description;
global $addEditRowPerm, $deleteRowPerm;
//// begin description crap
if ($set != "" && $cancel == "") {
setTableDescription( $tablename, $description );
}
$query = "SELECT * FROM comments WHERE column_name IS NULL AND table_name=" . quoteForSQL( $tablename );
$pResult = mysql_query( $query );
if ($pResult) {
$rows = mysql_num_rows( $pResult );
if ($rows == 0) {
$description = "No description.";
$realDescription = "";
} else {
$row = mysql_fetch_array( $pResult );
$description = $row["description"];
$realDescription = $description;
}
if ($dliquid == "") {
$body .= _p( _b( "description:" ) . " " . _i( $description) .
"[" . linkToViewTableExtra( "change", "dliquid=1", $dbname, $tablename) . "]" );
} else {
$body .= _form(
_b( "Description" ) .
_input_hidden( "dbname", $dbname ) .
_input_hidden( "tablename", $tablename ) .
_input_text( "description", $realDescription, 80 ) .
_input_submit( "set" ) .
_input_submit( "cancel" )
);
}
} else {
$body .= _b( "no description table.\n");
}
//// end description crap
$query = "SELECT * FROM $tablename";
if($orderby != "") {
$query .= " ORDER BY $orderby";
}
$pResult = mysql_query( $query );
if ($pResult == "") {
setError( mysql_error() );
return;
}
$cols = mysql_num_fields( $pResult );
$table = "";
$row = "";
for ( $i = 0; $i < $cols; $i++) {
$field = mysql_fetch_field( $pResult, $i );
$name = $field->name;
$header = linkToViewTableExtra( $name, "orderby=$name", $dbname, $tablename );
if ( $field->primary_key == 1 ) {
$header .= "*";
}
$row .= _th( $header );
}
$row .= _th2( "action", "colspan=2" );
$table .= _tr( $row );
while($rowArray = mysql_fetch_row( $pResult )) {
$row = "";
$key = "";
for ($j = 0; $j < $cols; $j++) {
$data = $rowArray[ $j ];
$field = mysql_fetch_field( $pResult, $j );
if( $field->primary_key == 1 ) {
$key .= "&" . "c_" . urlencode( $field->name ) . "=" . urlencode( $data );
}
$row .= _td( htmlspecialchars( $data ) );
}
if ( $key == "" ) {
$row .= _td( "no primary key" );
} else {
if ($addEditRowPerm == 1) {
$row .= _td( "[" . _link( "Edit", "action=editData&dbname=$dbname&tablename=$tablename$key" ) . "]" );
}
if ($deleteRowPerm == 1) {
$row .= _td( "[" . _link2( "Delete", "action=deleteData&dbname=$dbname&tablename=$tablename$key",
"onClick=\"return confirm('Delete Row?')\"" ) . "]" );
}
}
$table .= _tr( $row );
}
$body .= _table( $table );
if ($addEditRowPerm == 1) {
$body .= _p( "[" . _link( _b("Add data row"), "action=addData&dbname=$dbname&tablename=$tablename") . "]" );
}
}
function manageData( $cmd ) {
global $mysqlHandle, $dbname, $tablename;
global $body, $body_header;
if ( $cmd == "add") {
$body_header = "Add row to " . $body_header;
$form = _input_hidden( "action", "addData_submit" );
} else if ($cmd = "edit" ) {
$body_header = "Edit row in " . $body_header;
$pResult = mysql_list_fields( $dbname, $tablename );
$num = mysql_num_fields( $pResult );
$key = "";
for ($i = 0; $i < $num; $i++) {
$field = mysql_Fetch_field( $pResult, $i );
if ($field->primary_key == 1) {
$key .= $field->name . "=" . quoteForSQL( $GLOBALS[ "c_" . $field->name ] ) . " AND ";
}
}
$key = substr( $key, 0, strlen($key) - 4 ); // wipe away last " AND ".
$query = "SELECT * FROM $tablename WHERE $key";
$pResult = mysql_query( $query );
$data = mysql_fetch_array( $pResult );
$body .= _p( _b("Note:") . " " . _i("\"NULL\" in a field (no quotes) will set that field to NULL.") );
$form = _input_hidden( "action", "editData_submit" );
} else {
// this wont happen.
seterror( "Unknown row management function \"$cmd\"" );
return;
}
$form .= _input_hidden( "dbname", $dbname );
$form .= _input_hidden( "tablename", $tablename );
$table = _tr( _th("name") . _th("type") . _th("data") );
$pResult = mysql_query("SHOW fields FROM $tablename" );
$rows = mysql_num_rows( $pResult );
$pResultFields = mysql_list_fields( $dbname, $tablename );
for( $i = 0; $i < $rows; $i++ ) {
$field = mysql_fetch_array( $pResult );
$fieldname = $field["Field"];
$fieldtype = $field["Type"];
if ($cmd == "edit") {
$fieldvalueraw = $data[$i];
} else {
$fieldvalueraw = "NULL";
}
$fieldvalue = htmlspecialchars( $fieldvalueraw );
$len = mysql_field_len( $pResultFields, $i );
$row = _td( $fieldname ) . _td( $fieldtype );
$type = strtok( $fieldtype, " (,)\n" );
if ($type == "enum" || $type == "set") {
if ($type == "enum") {
$cell = "<select name=$fieldname>";
} else {
$cell = "<select name=$fieldname size=4 multiple>\n";
}
$cell .= strtok( "'" );
while ($str = strtok( "'" ) ) {
if ($fieldvalueraw == $str) {
$cell .= "<option selected>$str\n";
} else {
$cell .= "<option>$str\n";
}
strtok( "'" );
}
$cell .= "</select>";
} else {
if ($len < 40) {
$cell = "<input type=text size=40 maxlength=$len name=c_$fieldname value=\"$fieldvalue\">";
} else {
$cell = "<textarea cols=40 rows=3 maxlength=$len name=c_$fieldname>$fieldvalue</textarea>";
}
}
$row .= _td( $cell );
$table .= _tr( $row );
}
$form .= _table( $table );
$form .= "<input type=submit value='$cmd data'>";
$body .= _form( $form );
}
function deleteData() {
global $mysqlHandle, $dbname, $tablename;
$pResult = mysql_list_fields( $dbname, $tablename );
if ($pResult == FALSE) {
setError("Field listing failed.");
return 0;
}
$num = mysql_num_fields( $pResult );
$query = "DELETE FROM $tablename WHERE ";
while($field = mysql_fetch_field( $pResult )) {
if ( $field->primary_key == 1 ) {
$datum = $GLOBALS["c_".$field->name];
if ($datum != "NULL") {
$datum = quoteForSQL( $datum );
}
$query .= $field->name . "=$datum AND ";
}
}
$query = substr( $query, 0, strlen($key) - 4 ); // wipe away last " AND "
mysql_query( $query, $mysqlHandle );
$errMsg = mysql_error();
if ($errMsg != "") {
seterror( $errmsg );
return 0;
}
// echo "<pre>$query</pre>\n";
return 1;
}
function manageData_submit( $cmd ) {
global $mysqlHandle, $dbname, $tablename;
if( $cmd == "add" ) {
$query = "INSERT INTO $tablename VALUES (";
} else {
$query = "REPLACE INTO $tablename VALUES (";
}
$pResult = mysql_list_fields( $dbname, $tablename );
$num = mysql_num_fields( $pResult );
while($field = mysql_fetch_field( $pResult )) {
$datum = $GLOBALS["c_".$field->name];
if ($datum != "NULL") {
$datum = quoteForSQL( $datum );
}
$query .= " $datum,";
}
$query = substr( $query, 0, strlen($key) - 1 ) . " )"; // wipe away last "," and add ")"
mysql_query( $query, $mysqlHandle );
$errMsg = mysql_error();
if ($errMsg != "") {
seterror( $errmsg );
return 0;
}
// echo "<pre>$query</pre>\n";
return 1;
}
/////////////// MAIN
$body = "";
$title_header = "";
$body_header = "";
if ($dbname == "") {
// if there are no params, helpfully default them into tbdb.
if ($action == "") {
$dbname = "tbdb";
}
} else {
$dbname = sanitizeSQLName( $dbname );
if (strstr($dbname,"tbdb") == FALSE) {
$body .= "<h3>Sorry, due to security concerns," .
" you may only view databases with names" .
" containing the substring \"tbdb\";<br>" .
" Defaulting to \"tbdb\".</h3>\n";
$dbname = "tbdb";
}
}
if ($tablename != "") { $tablename = sanitizeSQLName( $tablename ); }
if ($orderby != "") { $orderby = sanitizeSQLName( $orderby ); }
$title_header = "MySQL";
$body_header = linkToViewServer("MySQL");
if ($dbname) {
$body_header .= "::" . linkToViewDB( $dbname, $dbname );
$title_header .= "::" . $dbname;
if ($tablename) {
$body_header = "Table " . $body_header . "::" . linkToViewTable( $tablename, $dbname, $tablename );
$title_header = "Table " . $title_header . "::" . $tablename;
} else {
$body_header = "Database " . $body_header;
$title_header = "Database " . $title_header;
}
} else {
$body_header = "Server " . $body_header;
$title_header = "Server " . $title_header;
}
$HOSTNAME = "localhost";
//echo "<!--";
$mysqlHandle = mysql_pconnect( $HOSTNAME, $USERNAME, $PASSWORD );
//echo "-->";
if ($mysqlHandle == false) {
seterror( "Couldn't connect to MySQL server." );
} else {
if ($dbname != "") {
mysql_select_db( $dbname );
}
$readTablePerm = 1;
$addEditRowPerm = 0;
$deleteRowPerm = 0;
// get permissions.
$query = "SELECT * FROM webdb_table_permissions WHERE table_name=" . quoteForSQL( $tablename );
$pResult = mysql_query( $query );
if ($pResult != FALSE && mysql_num_rows($pResult) > 0) {
$field = mysql_fetch_array( $pResult );
if ($field["allow_read"] != "1") { $readTablePerm = 0; }
if ($field["allow_row_add_edit"] == "1") { $addEditRowPerm = 1; }
if ($field["allow_row_delete"] == "1") { $deleteRowPerm = 1; }
}
if ($action == "" || $action == "view") {
if ($dbname == "") {
listDatabases();
} else {
if ($tablename == "") {
if (assertViewPermission()) { listTables(); }
} else {
if (assertViewPermission()) { viewData(); }
}
}
} else if( $action == "addData" ) {
if (assertAddEditPermission()) { manageData( "add" ); }
} else if( $action == "addData_submit" ) {
if (assertAddEditPermission()) {
$success = manageData_submit( "add" );
if ($success == 1 && $readTablePerm != 0) {
viewData();
}
}
} else if( $action == "editData" ) {
if (assertAddEditPermission()) { manageData( "edit" ); }
} else if( $action == "editData_submit" ) {
if (assertAddEditPermission()) {
$success = manageData_submit( "edit" );
if ($success == 1 && $readTablePerm != 0) {
viewData();
}
}
} else if( $action == "deleteData" ) {
if (assertDeletePermission()) {
$success = deleteData();
if ($success == 1 && $readTablePerm != 0) {
viewData();
}
}
} else {
seterror("Undefined command '$action'");
}
mysql_close( $mysqlHandle);
}
\ No newline at end of file
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment